Advisories MDKSA-2006:150: Updated kernel packages fix multiple vulnerabilities


paul

A number of vulnerabilities were discovered and corrected in the Linux 2.6 kernel:

Prior to 2.6.15.5, the kernel allowed local users to obtain sensitive information via a crafted XFS ftruncate call (CVE-2006-0554).

Prior to 2.6.15.5, the kernel did not properly handle uncanonical return addresses on Intel EM64T CPUs causing the kernel exception handler to run on the user stack with the wrong GS (CVE-2006-0744).

ip_conntrack_core.c in the 2.6 kernel, and possibly nf_conntrack_l3proto_ipv4.c did not clear sockaddr_in.sin_zero before returning IPv4 socket names from the getsockopt function with SO_ORIGINAL_DST, which could allow local users to obtain portions of potentially sensitive memory (CVE-2006-1343).

Prior to 2.6.16.17, a buffer overflow in SCTP in the kernel allowed remote attackers to cause a Denial of Service (crash) and possibly execute arbitrary code via a malformed HB-ACK chunk (CVE-2006-1857).

Prior to 2.6.16.17, SCTP in the kernel allowed remote attackers to cause a DoS (crash) and possibly execute arbitrary code via a chunk length that is inconsistent with the actual length of provided parameters (CVE-2006-1858).

Prior to 2.6.16, a directory traversal vulnerability in CIFS could allow a local user to escape chroot restrictions for an SMB-mounted filesystem via ".." sequences (CVE-2006-1863).

Prior to 2.6.16, a directory traversal vulnerability in smbfs could allow a local user to escape chroot restrictions for an SMB-mounted filesystem via ".." sequences (CVE-2006-1864).

Prior to 2.6.17, Linux SCTP allowed a remote attacker to cause a DoS (infinite recursion and crash) via a packet that contains two or more DATA fragments, which caused an skb pointer to refer back to itself when the full message is reassembled, leading to an infinite recursion in the sctp_skb_pull function (CVE-2006-2274).

The dvd_read_bca function in the DVD handling code assigns the wrong value to a length variable, which could allow local users to execute arbitrary code via a crafted USB storage device that triggers a buffer overflow (CVE-2006-2935).

Prior to 2.6.17, the ftdi_sio driver could allow local users to cause a DoS (memory consumption) by writing more data to the serial port than the hardware can handle, causing the data to be queued (CVE-2006-2936).

The 2.6 kernel, when using both NFS and EXT3, allowed remote attackers to cause a DoS (file system panic) via a crafted UDP packet with a V2 lookup procedure that specifies a bad file handle (inode number), triggering an error and causing an exported directory to be remounted read-only (CVE-2006-3468).

The 2.6 kernel's SCTP was found to cause system crashes and allow for the possibility of local privilege escalation due to a bug in the get_user_iov_size() function that doesn't properly handle overflow when calculating the length of iovec (CVE-2006-3745).

The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels immediately and reboot to effect the fixes.

To update your kernel, please follow the directions located at:

http://www.mandriva.com/en/security/kernelupdate

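An added illustration of the CVE-2006-1343 item in the advisory (not code from the kernel or from the advisory itself): a sockaddr_in filled field by field keeps whatever bytes were already in sin_zero, while zeroing the structure first leaves nothing stale to copy out. The 0xAA marker, the helper names and the sample address and port are constructed for this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xAA /* constructed marker standing in for leftover memory */

typedef void (*fill_fn)(struct sockaddr_in *, uint32_t, uint16_t);

/* Field-by-field fill: sin_zero is never written, so stale bytes survive. */
static void fill_unsafe(struct sockaddr_in *sin, uint32_t addr_be, uint16_t port_be)
{
    sin->sin_family = AF_INET;
    sin->sin_port = port_be;
    sin->sin_addr.s_addr = addr_be;
}

/* Hardened fill: clear the whole structure, then set the named fields. */
static void fill_safe(struct sockaddr_in *sin, uint32_t addr_be, uint16_t port_be)
{
    memset(sin, 0, sizeof(*sin));
    fill_unsafe(sin, addr_be, port_be);
}

/* Count the sin_zero bytes that still hold the stale marker. */
static size_t stale_bytes(const struct sockaddr_in *sin)
{
    size_t n = 0;
    for (size_t i = 0; i < sizeof(sin->sin_zero); i++)
        if ((unsigned char)sin->sin_zero[i] == STALE)
            n++;
    return n;
}

/* Simulate a reused buffer, fill it, and report how many stale bytes
 * a copy of the full structure to the caller would disclose. */
static size_t leaked_after(fill_fn fill)
{
    struct sockaddr_in sin;
    memset(&sin, STALE, sizeof(sin));            /* pretend earlier data lives here */
    fill(&sin, htonl(0xC0000201), htons(8080));  /* 192.0.2.1:8080, constructed */
    return stale_bytes(&sin);
}

int main(void)
{
    printf("field-by-field fill: %zu stale bytes\n", leaked_after(fill_unsafe));
    printf("zero-then-fill:      %zu stale bytes\n", leaked_after(fill_safe));
    return 0;
}
```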
